Homework 2

CS255, Spring 2008

Due: Tuesday, May 20


Problem 1

(a) Explain what httpOnly cookies are.

(b) What attack are httpOnly cookies intended to prevent? Give an example attack that does not work if the site uses httpOnly cookies, but works with normal cookies.

(c) Show that httpOnly cookies do not eliminate the class of attacks from part (b). Give an example where httpOnly cookies do not improve security.

Problem 2

(a) State the same origin policy as it applies to the DOM, as clearly and precisely as you can, in one or two sentences. Do the same for the same origin policy as it applies to cookies.

(b) Why is it consistent with the same-origin policy for content from site A to include an image (such as <img src="http://anothersite.com/picture.jpg" >) from another site B?

(c) Suppose that web pages from several sites request images from TripleClick.com. Explain how each site can pass TripleClick some information about the content of the page that will contain the image. Write a variant of the HTML <img src="http://tripleclick.com/picture.jpg" > that passes information to TripleClick as part of the request for a picture.

(d) How can TripleClick use the requests you described in part (c) to build up a database of interests of each web user? Explain the browser mechanism that will let TripleClick tell if two requests for images come from the same user and machine, even if the user changes IP addresses.

Problem 3

JDBC Prepared Statements are explained at http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html. Suppose that a pizza order web site uses a form like the one shown in slide 22 of lecture 10 that asks the user to select a month by number. Assume that the form posted by the user is used to generate an SQL query with a prepared statement whose query text is built by string concatenation:
     String mname = request.getParameter("month");   // untrusted form field
     String uid = session.getCurrentUserId();
     // The query text is assembled by concatenation, so the month value
     // becomes part of the SQL statement rather than a bound parameter.
     PreparedStatement pstmt = conn.prepareStatement(
         "SELECT pizza, toppings, quantity, order_day " +
         "FROM orders " +
         "WHERE userid=" + uid + " AND order_month=" + mname);
     pstmt.execute(); pstmt.close();

(a) Explain very briefly why this site is vulnerable to SQL injection by explaining what happens if the user posts a form with "0 OR 1=1" for the month.

(b) Suppose this is rewritten to use bind arguments, as in slide 32. What Java error will occur when the user posts a form with "0 OR 1=1" for the month? Explain briefly.

(c) What if months are represented in the database as strings, and the prepared statement query is constructed using

     ps.setString(2, request.getParameter("month"));

Will this now be vulnerable to SQL injection? Explain why or why not.
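A runnable illustration of the difference between splicing the month into the SQL text and passing it as a bind argument, added here as an example (it is not code from the homework or the lecture slides). It uses Python's sqlite3 module against a constructed in-memory orders table in place of JDBC; the table layout, user ids and rows are assumptions.

```python
import sqlite3

# Constructed stand-in for the pizza site's orders table:
# (userid, pizza, toppings, quantity, order_month, order_day)
ORDERS = [
    (1, "margherita", "basil", 2, 3, 5),
    (1, "marinara", "garlic", 1, 4, 12),
    (2, "quattro formaggi", "none", 1, 3, 7),
    (3, "diavola", "salami", 4, 5, 1),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (userid INTEGER, pizza TEXT, toppings TEXT, "
                 "quantity INTEGER, order_month INTEGER, order_day INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", ORDERS)
    return conn

def query_concat(conn, uid, mname):
    # Mirrors the homework's statement: the month string is pasted into the
    # SQL text, so the database parses it as SQL, not as a value.
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=" + str(uid) + " AND order_month=" + mname)
    return conn.execute(sql).fetchall()

def query_bound_int(conn, uid, mname):
    # Bind-argument form with a numeric month (the analogue of setInt):
    # the string must first be converted to an integer. Returns None when
    # the conversion fails, where the JDBC version would throw.
    try:
        month = int(mname)
    except ValueError:
        return None
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (uid, month)).fetchall()

def query_bound_text(conn, uid, mname):
    # Bind-argument form with the month passed as a string (the analogue of
    # setString): the whole string is compared as one value, never parsed.
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (uid, mname)).fetchall()
```

With the concatenated query, user 1 asking for month "0 OR 1=1" receives every order in the table; with either bound form the same input yields no rows at all.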

Problem 4

In his lecture on phishing, Markus Jakobsson talked about users entering their passwords into deceptive phishing sites. Suppose that Reno Bismark Bank decides to supply its customers with hardware devices that supply so-called one-time passwords. (Two commercial examples are the RSA SecurID and Entrust IdentityGuard tokens.)

(a) The Authentication Department at RBB is debating whether its login page should ask for one password or two passwords each time a customer logs in. Should the page just ask for the new password from the one-time password (OTP) token, or is it better to also ask the customer to enter a long-term password as they did before? Explain why.

(b) If a RBB customer enters his password from the OTP device to a deceptive RBB phishing site that collects passwords and then sells them on the underground market, will this password be useful to the buyer? Explain.

(c) If a RBB customer enters his password from the OTP device to a deceptive RBB phishing site that is operating as a man-in-the-middle site to defraud bank customers, will this password be useful to the attacker? Explain.

(d) If a RBB customer loses his or her OTP device, what kind of questions should the RBB web site ask before allowing the customer to pay bills online? Explain.

Problem 5

Recall that when a browser connects to a server using HTTPS (which is HTTP over SSL/TLS), the server sends a certificate to the browser, and the browser checks to make sure that the certificate was issued for the domain the browser requested.

Several years ago, Netscape announced a bug in the way the Navigator browser treated HTTPS connections: if there was one HTTPS connection to a server, then while this session was still open, all new connections via HTTPS to the same site were assumed to be part of the existing SSL session and thus did not require a certificate check. (This bug was fixed the same day it was announced.)

(a) Explain how an attacker could exploit this bug (possibly using DNS cache poisoning), to capture confidential information from someone who thought they had a secure HTTPS session.

(b) DNS-SEC is a set of security extensions to DNS that provide three forms of guarantees:

For the purpose of answering this question, assume that the functions of DNS-SEC are implemented by providing a signed certificate (or set of certificates) that allow a local DNS module to verify that any statement about the IP address of a domain, or a statement that there is no such IP address, comes from a DNS server that is registered as the authoritative DNS server for that domain. For example, if a user wants to get the Stanford CSD home page from http://cs.stanford.edu/, the user's machine will receive cryptographically signed messages that state that (i) the IP address for cs.stanford.edu is 171.64.64.64, and (ii) the server that provides this IP address is authorized to provide IP addresses for stanford.edu.

Can you modify your attack in part (a) to work if DNS-SEC is used? Or will DNS-SEC prevent the attack?

Problem 6

Frame busting, discussed at the end of lecture 8, refers to a technique that enables a web site to ensure that its pages are not opened in a sub-frame of another page.

(a) Explain what could go wrong if, say, a banking page is opened in a sub-frame of an attacker's page. You may assume the user is already logged into her account at the banking site. Hint: try to target your attack at users who do not look at the address bar, but instead make trust decisions based on whether personal information is displayed on the page.

(b) IE supports an iframe security attribute invoked as <iframe security="restricted" src="...">. Generally speaking, scripts cannot run in the resulting iframe. Can an attacker use this mechanism to circumvent frame busting code? Can you suggest a way to fix the problem?